EP2469763B1 - LTE network call correlation during user equipment mobility - Google Patents

LTE network call correlation during user equipment mobility Download PDF

Info

Publication number
EP2469763B1
EP2469763B1 EP11194008.6A EP11194008A EP2469763B1 EP 2469763 B1 EP2469763 B1 EP 2469763B1 EP 11194008 A EP11194008 A EP 11194008A EP 2469763 B1 EP2469763 B1 EP 2469763B1
Authority
EP
European Patent Office
Prior art keywords
context data
next hop
user
context
monitoring system
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
EP11194008.6A
Other languages
German (de)
English (en)
French (fr)
Other versions
EP2469763A1 (en
Inventor
Antonio Bova
Vignesh Janakiraman
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tektronix Inc
Original Assignee
Tektronix Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tektronix Inc filed Critical Tektronix Inc
Publication of EP2469763A1 publication Critical patent/EP2469763A1/en
Application granted granted Critical
Publication of EP2469763B1 publication Critical patent/EP2469763B1/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00Arrangements for monitoring or testing data switching networks
    • H04L43/18Protocol analysers
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/03Protecting confidentiality, e.g. by encryption
    • H04W12/033Protecting confidentiality, e.g. by encryption of the user plane, e.g. user's traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/041Key generation or derivation
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W8/00Network data management
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W24/00Supervisory, monitoring or testing arrangements
    • H04W24/08Testing, supervising or monitoring using real traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W36/00Hand-off or reselection arrangements
    • H04W36/0005Control or signalling for completing the hand-off
    • H04W36/0011Control or signalling for completing the hand-off for data sessions of end-to-end connection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W92/00Interfaces specially adapted for wireless communication networks
    • H04W92/04Interfaces between hierarchically different network devices
    • H04W92/12Interfaces between hierarchically different network devices between access points and access point controllers

Definitions

  • Embodiments are directed, in general, to monitoring data packets on an LTE network and, more specifically, to deciphering captured data packets during user equipment handover.
  • UE User Equipment
  • eNodeB enhanced Node B
  • MME Mobility Management Entities
  • AKA Authentication and Key Agreement
  • the AKA process also generates keys for ciphering traffic between the UE and the network.
  • AKA process is complete, most of the message traffic exchanged between the UE and the network is ciphered before transmission. The ciphered traffic cannot be read unless the receiving party has the key that the sending party used to cipher the messages.
  • Document EP 2 219 323 A1 describes a real-time network data analysis system.
  • the arrangement has a connection from an user plane analysis appliance to a network in an S1 interface of a 3GPP LTE-node eNodeB.
  • the eNodeB has a connection to an MME in a core network EPC through the interface S1.
  • the traffic is monitored in this interface.
  • Network operators may monitor an LTE network using monitoring equipment that captures and analyzes Packet Data Units (PDUs) from network interfaces. These PDUs may be correlated to create session records on a per user basis. However, the PDUs cannot be easily correlated if they are ciphered.
  • the monitoring equipment must have the correct keys to decipher the PDUs.
  • a UE attaches to the network and establishes cipher keys with the network. The monitoring system must capture the cipher keys or the information used to generate the cipher keys when the UE attaches, or it will be unable to decipher messages associated with the UE.
  • an MME For UE mobility in which a UE is handed over from one eNodeB to another, an MME has the cipher keys for the UE and knows which eNodeB will be the target of the handover.
  • a network monitoring system can obtain initially the keys required to decipher the traffic from the AKA procedure on S1-MME interface towards the source eNodeB..
  • the MME will send a handover request message to the target eNodeB, but this message does not specifically identify the UE or provide an obvious mechanism to link the call legs among different eNodeBs.
  • the monitoring system can observe that a handover has occurred, but cannot determine which UE is involved.
  • the UE After handover, the UE will use the existing security context to communicate with the new eNodeB.
  • the UE attaches to the target eNodeB typically it will not initiate a new AKA procedure, so the monitoring equipment will not be able to capture the keys needed to decipher the traffic after handover.
  • the monitoring equipment can use the Next Hop (NH) key parameter that is sent in the handover request message.
  • This key has the role of "forward security" in the network and it is derived by the MME with a chaining derivation, starting from the K ASME and K eNb keys.
  • the monitoring equipment has the K ASME (Key Access Security Management Entries) and K eNB (eNodeB Key) for the UE prior to handover. Using these keys, it can calculate the Next Hop Chaining Counter (NCC) and NH values as well.
  • NCC Next Hop Chaining Counter
  • the monitoring system can store the NH and NCC values and will use them to link the call legs together for different eNodeBs.
  • FIGURE 1 is a block diagram illustrating the LTE (Long Term Evolution)/SAE (System Architecture Evolution) network architecture.
  • the LTE/SAE network technology represents mobile network evolution to provide high-rate IP-based services.
  • the standardization entity in charge of specifying the mobile standards which is known as the 3 rd Generation Partnership Project (3GPP), has defined standards for mobile telecommunication systems, including both the radio access and the core network evolution.
  • the standard is named Evolved Packet System (EPS), and it specifies the evolution of the UTRAN access network - the evolved UTRAN (eUTRAN) 101 - and the concurrent evolution of the Core network - the Evolved Packet Core (EPC) 102.
  • EPS Evolved Packet System
  • LTE and SAE are commonly used synonyms for eUTRAN 101 and EPC 102, respectively.
  • the network comprises a number of different types of network nodes and interfaces.
  • the nodes include, for example, an enhanced NodeB (eNodeB or eNb) 103, Mobility Management Entity (MME) 104, Home Subscriber Service (HSS) 105, Serving Gateway (S-GW) 106, and Packet Data Network Gateway (PDN-GW) 107.
  • eNodeB or eNb enhanced NodeB
  • MME Mobility Management Entity
  • HSS Home Subscriber Service
  • S-GW Serving Gateway
  • PDN-GW Packet Data Network Gateway
  • the goal of the EPS technology is to significantly enhance the bandwidth available to users and, at the same time, improve the Quality of Service (QoS) of the radio connection..
  • QoS Quality of Service
  • User Equipment (UE) 108 is the subscriber endpoint of the end-to-end services.
  • UE 108 communicates over the Uu interface to eNodeBs 103 on the radio path.
  • eNodeB (103) manages the radio path to UE 108 and hosts the physical radio establishment, radio link control, and medium access control functions.
  • eNodeB 103 also encrypts and decrypts data toward the radio path and handles the radio resource admission and management.
  • MME 104 is the node responsible for managing the non access stratum (NAS) control plane messages from/to the UE 108.
  • MME 104 plays a role in selecting S-GW 106 for user plane traffic, coordinates handover in LTE/SAE, and establishes the necessary connections to HSS 105 for authentication and security procedures.
  • MME 104 also coordinates the bearer assignment to the UE 108.
  • HSS 105 has a role similar to the 3G HLR (Home Location Register).
  • HSS 105 maintains subscriber profile and subscription data, subscriber identifiers (e.g. International Mobile Subscriber Identity (IMSI) and Mobile Subscriber Integrated Services Digital Network Number (MSISDN)), and subscriber authentication and security data.
  • IMSI International Mobile Subscriber Identity
  • MSISDN Mobile Subscriber Integrated Services Digital Network Number
  • HSS 105 is the endpoint for UE 108 location updating procedures coming from MME 104.
  • S-GW 106 is the endpoint of user plane connections from eNodeB nodes 103.
  • S-GW 106 is an anchor for user plane connections in case of UE handover between eNodeBs 103.
  • PDN-GW (107) is the network node that provides an interface between the EPC with external PDN networks, such as the Internet 115.
  • the LTE/SAE network often interfaces with nodes from existing 3G networks, such UTRAN (Universal Terrestrial Radio Access Network) and GERAN (GSM EDGE Radio Access Network) networks 109.
  • Serving GPRS Support Node (SGSN) 110 plays a role in S-GW or MME selection and coordinates with MME 104 for handover coordination in the case of inter-RAT (radio access technologies) handovers between UTRAN/GERAN 109 and eUTRAN 101.
  • Radio Network Controller (RNC) 111 also provides an interface to the 3G UTRAN network 109. In case of handovers to/from UTRAN 109 and "direct tunneling" architecture, RNC 111 may be the endpoint of data connections to/from S-GW 106.
  • the tasks of measuring network performance, troubleshooting network operation, and controlling network service behavior can be very difficult for the network operator.
  • Evolution of the network such as the introduction and deployment of new network technology, causes additional instability and further problems in network measurement, troubleshooting and control.
  • network operators often make use of external monitoring systems.
  • These monitoring systems are typically connected to the network in a non-intrusive mode that allows them to sniff data from the network interfaces, processing the data and provide measurements and reports that help the network operator to manage its network.
  • the monitoring system typically needs to track the UEs' activities in order to provide detailed analysis of the services used by the subscribers and to collect information about the network's behavior for troubleshooting and optimization purposes.
  • a monitoring system 112 may be coupled to links in the LTE/SAE network to passively monitor and collect signaling data from one or more interfaces in the network.
  • Monitoring system 112 may collect user plane and control plane data from the EPC and eUTRAN interfaces, including, for example, the S1-MME, S6a, S10, and S11 interfaces that have an MME 104 as an endpoint and S1-MME and X2 interfaces that have an eNodeB 103 as an endpoint. It will be understood that some or all of the other interfaces or links in the network may also be monitored by monitoring system 112.
  • the monitoring system 112 may comprise, in one embodiment, one or more processors running one or more software applications that collect, correlate and analyze Protocol Data Units (PDU) and data packets from eUTRAN 101 and EPC 102.
  • PDU Protocol Data Unit
  • Monitoring system 112 may incorporate protocol analyzer, session analyzer, and/or traffic analyzer functionality that provides OSI (Open Systems Interconnection) layer 2 to layer 7 troubleshooting by characterizing IP traffic by links, nodes, applications and servers on the network.
  • OSI Open Systems Interconnection
  • Such functionality is provided, for example, by the GeoProbe G10 platform, including the Iris Analyzer Toolset applications and SpIprobes, from Tektronix Incorporated.
  • FIGURE 1 a single monitoring system probe is illustrated in FIGURE 1 , it will be understood that this is for the sake of simplification and that any number of interconnected monitoring system probes may be coupled to one or more interfaces within the LTE/SAE network.
  • a single monitoring probe may capture data from a particular interface, or two or more probes may be coupled to one interface.
  • Monitoring system 112 may be coupled to network interfaces via packet capture devices, such as high-speed, high-density probes that are optimized to handle high bandwidth IP traffic. Monitoring system 112 passively captures message traffic from the interfaces without interrupting the network's operation. A service provider or network operator may access data from monitoring system 112 via user interface station 113. Monitoring system 112 may further comprise internal or external memory 114 for storing captured data packets, user session data, call records configuration information, and software application instructions. Monitoring system 112 may capture and correlate the packets associated specific data sessions on network interfaces. In one embodiment, related packets can be correlated using a 5-tuple association mechanism.
  • the 5-tuple association process uses an IP correlation key that consists of 5 parts - server IP address, client IP address, source port, destination port, and Layer 4 Protocol (TCP or UDP or SCTP).
  • IP correlation key consists of 5 parts - server IP address, client IP address, source port, destination port, and Layer 4 Protocol (TCP or UDP or SCTP).
  • TCP or UDP or SCTP Layer 4 Protocol
  • the related packets can be combined into a record for a particular flow, session or call on the network.
  • monitoring system 112 may be an active component, such as a software agent, that resides on an EPC node, such as on MME 104, for example, and that captures data packets passing into or out of the node.
  • an active component such as a software agent
  • monitoring system must detect S1-based handover, wherein the UE moves from a source eNodeB to a target eNodeB with the coordination of the MME.
  • S1-based handover wherein the UE moves from a source eNodeB to a target eNodeB with the coordination of the MME.
  • X2-based handover wherein mobility is performed directly by an eNodeB pair (source and target nodes) that only inform the MME about the successful completion of the handover procedure.
  • the NAS traffic between an UE and an MME is typically ciphered using specific security keys and security material. Being able to correlate the correct security key and material during a handover is not a trivial task, due to the nature of non-intrusive monitoring system 112 placed as a "man-in-the-middle" sniffing the traffic. Embodiments of the monitoring system 112 correlate and retrieve the correct security material in case of either S1-based or X2-based handover. This correlation allows the monitoring system to properly bind the source and target path of the connection during specific handover scenarios. For example, the monitoring system will generate a first call record for a particular UE when it attaches to a first eNodeB (first leg).
  • first eNodeB first leg
  • the monitoring system must identify the new call record for the UE on the second new eNodeB and combine the new call record (second leg) with the first call record. This can be difficult because the traffic on the first and second legs is ciphered, and the monitoring system must determine what keys to use to decipher the traffic on the second leg without the benefit of capturing the keys in a new AKA procedure.
  • the monitoring system disclosed herein allows tracking of the security keys to be applied either on Non Access Stratum (NAS) or Packet Data Convergence Protocol (PDCP), by means of monitoring the S1-MME interfaces (between the eNodeBs and the MMEs) and the S6a interfaces (between the MME and the HSS).
  • NAS Non Access Stratum
  • PDCP Packet Data Convergence Protocol
  • S1-MME interfaces between the eNodeBs and the MMEs
  • S6a interfaces between the MME and the HSS
  • a basic principle involved in the monitoring of handover UEs is the precalculation of a security key identified as the Next Hop (NH) key at the source side (first leg) of the handover.
  • the NH key is calculated using the K eNB key and is correlated with the target side (second leg) of the handover when NH is seen on the target side.
  • the monitoring system is also capable of tracking UE in the scenario known as "Handover Chaining" wherein the target side does a second handover to another eNodeB and so on.
  • LTE security and specifically NAS security such as native or mapped security contexts
  • the security architecture including the security features and the security mechanisms, and the security procedures performed within the EPC and the eUTRAN are set forth in Technical Specifications produced by the 3rd Generation Partnership Project (3GPP).
  • 3GPP 3rd Generation Partnership Project
  • One Technical Specification of interest is designated "Digital cellular telecommunications system (Phase 2+); Universal Mobile Telecommunications System (UMTS); LTE; 3GPP System Architecture Evolution (SAE); Security architecture (3GPP TS 33.401 version 9.5.0 Release 9)" dated October 2010 (hereinafter "TS 33.401”), which is incorporated herein by reference in its entirety.
  • FIGURE 2 illustrates the Next Hop (NH) key derivation mechanism.
  • the MME derives a K eNB key from the basic K ASME key 201.
  • the K eNB key is then used for security of CP/UP on Uu interface.
  • the algorithm to derive the K eNB is described in TS 33.401 at Annex A.1 and A.3.
  • the NH key 204 is obtained from either the K eNB or from a previously derived NH key (e.g. 204a) in a chaining derivation as described in Annex A.4 of TS 33.401.
  • the NH key 204 is used to assure "forward security.” As a result, an eNodeB cannot predict the key that will be used by another eNodeB after a UE handover. When there is a handover, the K eNB * 203 key that is used between the UE and new eNodeB can be obtained either by the current K eNB or by the NH key 204a.
  • the K eNB (initial) key 202 is derived from K ASME 201.
  • Subsequent K eNB * keys 203 can be derived from the previous K eNB . This is called “horizontal key derivation" and is used during intra eNodeB handover.
  • NCC Next Hop Chaining Counter
  • the NH key 204a is derived again from the K ASME key 201 and the previous available NH key 204.
  • Each NH key has an associated NCC value 206.
  • the NCC (Next Hop Chaining Counter) value 0 (207) corresponds to a "virtual" NH key associated to the K eNB initial key 202.
  • a K eNB active key 208 is derived from a NH value 204a, the process is called “vertical key derivation.”
  • This "vertical key derivation" process is used by the monitoring system to link the different call legs during inter eNodeB handovers (S1-based or X2-based handover).
  • FIGURE 3 illustrates intra-MME mobility wherein a UE is handed over from source eNodeB 31 to target eNodeB 32 using S1-based signaling to the same MME 33.
  • Source eNodeB 31 decides to trigger an S1-based handover when, for example there is no X2 interface between the source and target eNodeBs 31, 32.
  • Source eNodeB 31 sends a Handover Required message (301) over the S1-MME interface..
  • the UE Prior to the handover procedure illustrated in FIGURE 3 , the UE (not shown) has been attached to source eNodeB 31. Traffic between the UE and MME 33 via eNodeB 31 is ciphered using keys obtained during an Authentication and Key Agreement (AKA) procedure.
  • the network monitoring system obtains the K ASME that is associated with the UE from the AKA procedure.
  • the monitoring system maintains a repository of UE contexts that have been used in the network.
  • the UE context repository stores the K ASME , NCC and NH parameters for each UE context used.
  • the MME 33 exchanges Handover Request (302) and Handover Request Ack (303) messages with target eNodeB 32 to provide the new eNodeB with the UE's security context information.
  • the Handover Request message (302) includes security context parameters that include security related information, such as the NCC and NH values.
  • the NCC and NH values are used by the monitoring system to query the UE context repository to get the K ASME that has been used by the UE.
  • the NH key is used by the monitoring system to bind the Source and the Target S1-MME paths (first and second legs) during the S1 handover.
  • the target eNodeB may decide to handover the UE to another (third) eNodeB.
  • the monitoring system can link together multiple legs for such handover chaining.
  • the monitoring system pre-computes the next NH value corresponding to the next NCC that will be used for the security context and then indexes the security context using the new NH value.
  • the new NH value will be detected in the new (third) eNodeB Handover Request message and can be used to link the legs among the different eNodeBs. This process can then continue when there is a subsequent handover to the fourth, fifth eNodeBs and so on.
  • Table 1 lists messages that are used to establish a security context for a UE and for handover of the UE.
  • the NH/NCC values are needed for binding the Handover Request with the UE context information, including the K ASME .
  • the NH parameter is a 32-byte value and should provide strong uniqueness across the MMEs for use as an index for the monitoring system. The chance of NH values colliding between two different UEs is very small. However, if two NH values do happen to collide it will result in incorrect correlation of the different handover call legs.
  • the MME 33 sends Handover Command message (304) to the source eNodeB 31 to inform it that the necessary resources for the handover have been prepared at the target side.
  • the monitoring system captures message 304 on the S1-MME interface and using the S1AP identifiers associates it to the UE.
  • Target eNodeB 32 sends Handover Notify message (305) when the UE attaches to the target eNodeB 32.
  • the monitoring system captures message 305 on the S1-MME interface to the target eNodeB and using the S1AP identifiers associates it to the UE.
  • a current security context on call leg 1 includes source "eNB UE S1AP ID” (401) and "MME UE S1AP ID” (402) parameters associated with known security information such as a KASME (403), and derived KeNB (404), NCC (405) and NH (406) values.
  • Call leg 2 includes UE context information for a security context detected by the monitoring system.
  • the "Target MME UE S1AP ID" (409) parameter is captured from Handover Request message 302.
  • the NCC and NH values (410-411) are captured from the Security Context parameters in the Handover Request message 302. This information (409-411) applies to a current security context on call leg 2 (408).
  • the Target eNB USE S1AP ID (412) data is captured from the Handover Request Ack message 303.
  • the monitoring system knows that these legs do not apply to the same security context and, therefore, they likely do not correspond to the same UE. Accordingly, the monitoring system will not link Leg 1 (407) and Leg 2 (408). The monitoring system will capture additional UE context information from other Handover Required (301) messages, such as shown in Leg 3 (413). The NCC value and NH Key for Leg 3 (413) do not match the other entries in the UE context table 400, and so the monitoring system will not link the entries.
  • the monitoring system will capture data for Leg 4 (414) from other Handover Request and Handover Request Ack messages.
  • Leg 4 (414) includes NCC and NH key values that match the entry for Leg 1 (407).
  • the monitoring system will recognize this match and will know to link the call records and security context information for Leg 1 (407) and Leg 4 (414).
  • the monitoring system now knows that K ASME (403) and derived K eNB (404) for Leg 1 (407) should be used to decipher traffic associated with Leg 4 (414).
  • the monitoring system may use the NH key and NCC parameters to link different legs of a UE as it is handed-over among different eNodeBs.
  • the monitoring system will still be able to captures the NH and NCC values if it is monitoring the S10 interface between the MMEs ( FIGURE 1 ) in addition to the S1-MME interface.
  • the monitoring system may add entries to a UE context tracking table, such as table 400, for messages captured on the S10 interface in the same manner as used for messages captured from the S1-MME interface.
  • monitoring the S10 interface is not necessary if both the source and target eNodeBs are monitored by the same monitoring system.
  • the monitoring system is also able to detect handovers that are coordinated between the source and target eNodeBs on the X2 interface in case of inter-eNodeB mobility.
  • FIGURE 5 illustrates the messages that are exchanged on the X2 and S1 interfaces for X2 handover.
  • the X2 handover procedure is used to switch the existing eUTRAN Radio Access Bearer (E-RAB) for the UE to a new, target eNodeB.
  • E-RAB eUTRAN Radio Access Bearer
  • This mobility scenario is referred to as "X2-based mobility" as the X2 interface is involved in establishing the handover.
  • the source eNodeB 51 sends Handover Request message 501 to target eNodeB 52 over the X2 interface.
  • Target eNodeB 52 acknowledges the handover request in Handover Request Ack message 502.
  • Target eNodeB 52 then sends a Path Switch Request message 503 to MME 53 with a listing of each E-RAB that needs to be switched to the target eNodeB 52.
  • Path Switch Request message 503 includes the value of the "Source MME UE S1AP ID" used for the existing security context.
  • MME 53 sends a Path Switch Request Acknowledge message 504 back to the target eNodeB 52.
  • the target eNodeB 52 Upon receipt of message 504, the target eNodeB 52 has all the needed security information to continue deciphering traffic for the UE after the handover and it sends UE Context Release message 505 to the source eNodeB 51.
  • Path Switch Request Acknowledgement message 504 includes the parameters listed in Table 2. TABLE 2 MAJOR PARAMETERS PURPOSE eNB UE S1AP ID Signaling connection identifier at the Target eNodeB side for the S1 signaling connection MME UE S1AP ID Signaling connection identifier at the MME side Security Context New fresh NH Key and NCC values
  • the NH Key and NCC parameters in the Path Switch Request Acknowledgement message (504) can be used to link the new leg on the target eNodeB with the corresponding existing UE security context on the source eNodeB.
  • the "eNB UE S1AP ID" and "MME UE S1AP ID” parameters in message 504 can be used to identify the messages on the new leg for the UE security context information.
  • the monitoring system applies a similar key tracking mechanism as used in the Intra-MME/S1-based handover described above.
  • the monitoring system obtains the K ASME from AKA procedures and the K eNB from S1-AP Initial Context Setup request/S1-AP UE Context modification procedures.
  • the NH key is obtained from S1-MME Path Switch Request Acknowledge message 504 and is used by the monitoring system to bind the source and the target S1-MME paths during the X2 handover.
  • the monitoring system pre-computes the next NH value corresponding to the next NCC and indexes the security context using this new NH value.
  • this new NH value will be used and detected by the monitoring system. The monitoring system will then be able to link the records for additional call legs using the NH value.
  • the monitoring system will take into account the EPS Mobility Management (EMM) and EPS Connection Mangement (ECM) states while monitoring the UE.
  • EMM states describe the UE states that result from the mobility management procedures.
  • ECM states describe if the UE is IDLE or CONNECTED..
  • EMM-DEREGISTERED state the EMM context in MME holds no valid location or routing information for the UE.
  • the UE enters the EMM-REGISTERED state by a successful registration with an attach procedure to the eUTRAN.
  • the EMM-REGISTERED state the UE can receive services that require registration in the EPS.
  • the EMM-REGISTERED state the UE has at least one active PDN connection and setup the EPS security context.
  • a UE is in ECM-IDLE state when there is no NAS signaling connection between UE and the network. There is no UE context in the eUTRAN for the UE in the ECM-IDLE state, so there is no S1-MME connection for this UE.
  • the ECM- CONNECTED state the UE location is known in the MME with an accuracy of a serving eNodeB.
  • a signaling connection exists between the UE and the MME.
  • the signaling connection referred here is made up of two parts: the RRC connection and the S1-MME connection.
  • the monitoring system takes the following actions when the UE transitions to the various states.
  • the EPS NAS Detach procedure causes this transition.
  • the mapped security contexts are deleted and NH/NCC are deleted as well.
  • the UE shall use the native EPS NAS security context stored on the USIM.
  • the eKSI index corresponding to this native security context shall be monitored by the network monitoring system in the S1-AP Initial UE message. If that context was not the "current" context, the MME shall trigger a NAS SMC procedure to make it current. Or the MME might decide to perform a new NAS AKA and NAS SMC procedure to change it.
  • the MME when the source MME has successfully performed a NAS Security Mode Command (SMC) procedure (taking a new K ASME into use), but has not yet successfully performed a UE Context Modification procedure (which takes a K eNb derived from the new K ASME into use), the MME includes both the old K ASME with the corresponding eKSI, NH, and NCC, and a full EPS NAS security context based on the new K ASME in the S10 FORWARD RELOCATION message. So the network monitoring system on the source side has to derive a new NH value based on the new K eNb in the UE Context Modification procedure, and the old NH key is deleted.
  • SMC NAS Security Mode Command
  • the old NH is used to bind to source S1 side.
  • the new K ASME and eKSI are stored as a new EPS security context and will be used decipher the NAS payload.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Databases & Information Systems (AREA)
  • Mobile Radio Communication Systems (AREA)
EP11194008.6A 2010-12-21 2011-12-16 LTE network call correlation during user equipment mobility Active EP2469763B1 (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US12/974,762 US8681740B2 (en) 2010-12-21 2010-12-21 LTE network call correlation during User Equipment mobility

Publications (2)

Publication Number Publication Date
EP2469763A1 EP2469763A1 (en) 2012-06-27
EP2469763B1 true EP2469763B1 (en) 2016-03-23

Family

ID=45418432

Family Applications (1)

Application Number Title Priority Date Filing Date
EP11194008.6A Active EP2469763B1 (en) 2010-12-21 2011-12-16 LTE network call correlation during user equipment mobility

Country Status (4)

Country Link
US (1) US8681740B2 (zh)
EP (1) EP2469763B1 (zh)
JP (1) JP2012134979A (zh)
CN (1) CN102724664B (zh)

Families Citing this family (24)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20140116090A (ko) * 2011-12-08 2014-10-01 인터디지탈 패튼 홀딩스, 인크 하이 레이트 이중 대역 셀룰러 통신
US8874103B2 (en) * 2012-05-11 2014-10-28 Intel Corporation Determining proximity of user equipment for device-to-device communication
CN103428690B (zh) * 2012-05-23 2016-09-07 华为技术有限公司 无线局域网络的安全建立方法及系统、设备
US9137690B2 (en) 2012-09-18 2015-09-15 Tektronix, Inc. Multiple protocol session record mapper
JP5920169B2 (ja) * 2012-10-22 2016-05-18 富士通株式会社 不正コネクション検出方法、ネットワーク監視装置及びプログラム
WO2014101137A1 (zh) * 2012-12-28 2014-07-03 华为技术有限公司 通信系统间的消息处理方法及设备
JP6263817B2 (ja) * 2013-03-29 2018-01-24 インテル アイピー コーポレーション 無線ネットワークモビリティ手続きの管理技術
US9485679B2 (en) * 2013-06-19 2016-11-01 Nsrs Comms Ireland Limited Apparatus and method for analyzing the quality of a cell in a mobile device network
CN105557062B (zh) * 2013-07-03 2019-06-28 交互数字专利控股公司 用于接近服务的epc增强
US9432867B2 (en) * 2013-09-17 2016-08-30 Cellos Software Ltd. Method and network monitoring probe for tracking identifiers corresponding to a user device in wireless communication network
US9467926B2 (en) 2014-04-28 2016-10-11 Intel IP Corporation Apparatus, method, and system of establishing a connection between a cellular node and a core network
US10004017B2 (en) * 2014-08-13 2018-06-19 Yulong Computer Telecommunication Scientific (Shenzhen) Co., Ltd. Switching method and switching system between heterogeneous networks
US10425913B2 (en) * 2015-02-12 2019-09-24 Netscout Systems Texas, Llc Automated equipment characterization from wireless network data
US10098007B2 (en) * 2016-08-15 2018-10-09 T-Mobile Usa, Inc. Coverage management for wireless communication network
CN106961681A (zh) * 2017-02-10 2017-07-18 北京浩瀚深度信息技术股份有限公司 一种lte系统内部多接口密钥处理方法及装置
US10631182B2 (en) * 2017-04-17 2020-04-21 Netscout Systems, Inc. Monitoring deciphered S1 packets on unified serving nodes
US11071021B2 (en) * 2017-07-28 2021-07-20 Qualcomm Incorporated Security key derivation for handover
CN111480352B (zh) * 2017-09-12 2021-10-08 约翰·梅扎林瓜联合有限公司 用于lte网络基于边缘的特定于位置的警报系统
US10542442B2 (en) 2018-06-08 2020-01-21 T-Mobile Usa, Inc. Dominance-based coverage management for wireless communication network
US11057766B2 (en) * 2018-11-01 2021-07-06 Nokia Technologies Oy Security management in disaggregated base station in communication system
WO2020142884A1 (zh) * 2019-01-07 2020-07-16 华为技术有限公司 切换传输路径的方法及装置
CN114513790B (zh) * 2019-05-31 2023-10-10 荣耀终端有限公司 获取安全上下文的方法和网络设备
US11425557B2 (en) * 2019-09-24 2022-08-23 EXFO Solutions SAS Monitoring in a 5G non-standalone architecture to determine bearer type
US11451671B2 (en) 2020-04-29 2022-09-20 EXFO Solutions SAS Identification of 5G Non-Standalone Architecture traffic on the S1 interface

Family Cites Families (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP3996288B2 (ja) * 1998-12-07 2007-10-24 株式会社日立製作所 通信ネットワークシステムの管理方法および情報中継装置
US7483374B2 (en) * 2003-08-05 2009-01-27 Scalent Systems, Inc. Method and apparatus for achieving dynamic capacity and high availability in multi-stage data networks using adaptive flow-based routing
ATE383039T1 (de) * 2004-01-30 2008-01-15 Ericsson Telefon Ab L M Verfahren zur bestimmung der leistungsfähigkeit von mobilfunkendgeräten in einem im betrieb befindlichen mobilfunknetz
US7864731B2 (en) * 2006-01-04 2011-01-04 Nokia Corporation Secure distributed handover signaling
TWI543644B (zh) * 2006-12-27 2016-07-21 無線創新信號信託公司 基地台自行配置方法及裝置
EP2272262B1 (en) * 2008-05-02 2018-02-07 Nokia Technologies Oy Circuit switched domain codec list for single radio voice call continuity
CN101610506B (zh) * 2008-06-16 2012-02-22 上海华为技术有限公司 防止网络安全失步的方法和装置
FI20095143A0 (fi) 2009-02-16 2009-02-16 Nethawk Oyj Reaaliaikainen verkkodatan analysointijärjestelmä
CN101505479B (zh) * 2009-03-16 2014-04-30 中兴通讯股份有限公司 一种认证过程中安全上下文协商方法和系统
WO2010119656A1 (ja) * 2009-04-17 2010-10-21 パナソニック株式会社 無線通信装置
CN101925059B (zh) * 2009-06-12 2014-06-11 中兴通讯股份有限公司 一种切换的过程中密钥的生成方法及系统
US9144050B2 (en) * 2009-12-17 2015-09-22 Telefonaktiebolaget L M Ericsson (Publ) Methods and apparatus for use in a communications network
KR101784264B1 (ko) * 2010-04-28 2017-10-11 삼성전자주식회사 이동 통신 시스템에서의 핸드오버 방법 및 장치

Also Published As

Publication number Publication date
CN102724664B (zh) 2016-12-07
US8681740B2 (en) 2014-03-25
JP2012134979A (ja) 2012-07-12
CN102724664A (zh) 2012-10-10
US20120155428A1 (en) 2012-06-21
EP2469763A1 (en) 2012-06-27

Similar Documents

Publication Publication Date Title
EP2469763B1 (en) LTE network call correlation during user equipment mobility
US9071962B2 (en) Evolved packet system non access stratum deciphering using real-time LTE monitoring
US9686675B2 (en) Systems, methods and devices for deriving subscriber and device identifiers in a communication network
US7961875B2 (en) Means and method for ciphering and transmitting data in integrated networks
EP2469761B1 (en) Topology detection of LTE nodes
US11658817B2 (en) Security key usage across handover that keeps the same wireless termination
US8964695B2 (en) Optimization of handovers to untrusted non-3GPP networks
US8477621B2 (en) Multiple protocol correlation and topology detection in eHRPD networks
JP2012500511A (ja) 移動通信システムの保安化された非接続階層プロトコル処理方法
US20080181411A1 (en) Method and system for protecting signaling information
US20240031893A1 (en) Managing ue connections after network topology change
CN111770492B (zh) 通信方法和通信设备
US8631234B2 (en) Apparatus and method for establishing encryption information common to a plurality of communication paths coupling two apparatuses
US10123204B2 (en) Splitting method, base station, and user equipment
US20100118774A1 (en) Method for changing radio channels, composed network and access router
Cao et al. Seamless and secure communications over heterogeneous wireless networks
Kozma et al. Traffic analysis methods for the evolved packet core
Manjaragi et al. Survey of Security Models in Heterogeneous Wireless Networks
Cheng et al. A Fast SA Update Mechanism for Secure SIP/IMS Mobility in Integrated UMTS-WLAN Networks

Legal Events

Date Code Title Description
AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

AX Request for extension of the european patent

Extension state: BA ME

PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20121221

GRAP Despatch of communication of intention to grant a patent

Free format text: ORIGINAL CODE: EPIDOSNIGR1

INTG Intention to grant announced

Effective date: 20150826

GRAS Grant fee paid

Free format text: ORIGINAL CODE: EPIDOSNIGR3

GRAA (expected) grant

Free format text: ORIGINAL CODE: 0009210

AK Designated contracting states

Kind code of ref document: B1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

REG Reference to a national code

Ref country code: GB

Ref legal event code: FG4D

REG Reference to a national code

Ref country code: CH

Ref legal event code: EP

REG Reference to a national code

Ref country code: AT

Ref legal event code: REF

Ref document number: 784095

Country of ref document: AT

Kind code of ref document: T

Effective date: 20160415

REG Reference to a national code

Ref country code: IE

Ref legal event code: FG4D

REG Reference to a national code

Ref country code: DE

Ref legal event code: R096

Ref document number: 602011024267

Country of ref document: DE

REG Reference to a national code

Ref country code: LT

Ref legal event code: MG4D

REG Reference to a national code

Ref country code: NL

Ref legal event code: MP

Effective date: 20160323

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: HR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20160323

Ref country code: FI

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20160323

Ref country code: NO

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20160623

Ref country code: GR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20160624

REG Reference to a national code

Ref country code: AT

Ref legal event code: MK05

Ref document number: 784095

Country of ref document: AT

Kind code of ref document: T

Effective date: 20160323

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: NL

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20160323

Ref country code: LT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20160323

Ref country code: SE

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20160323

Ref country code: LV

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20160323

Ref country code: RS

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20160323

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: IS

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20160723

Ref country code: EE

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20160323

Ref country code: PL

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20160323

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: ES

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20160323

Ref country code: SK

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20160323

Ref country code: SM

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20160323

Ref country code: RO

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20160323

Ref country code: CZ

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20160323

Ref country code: AT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20160323

Ref country code: PT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20160725

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: BE

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20160323

Ref country code: IT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20160323

REG Reference to a national code

Ref country code: DE

Ref legal event code: R097

Ref document number: 602011024267

Country of ref document: DE

PLBE No opposition filed within time limit

Free format text: ORIGINAL CODE: 0009261

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: NO OPPOSITION FILED WITHIN TIME LIMIT

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: DK

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20160323

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: BG

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20160623

26N No opposition filed

Effective date: 20170102

REG Reference to a national code

Ref country code: GB

Ref legal event code: 732E

Free format text: REGISTERED BETWEEN 20170316 AND 20170323

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: SI

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20160323

REG Reference to a national code

Ref country code: CH

Ref legal event code: PL

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: MC

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20160323

REG Reference to a national code

Ref country code: FR

Ref legal event code: ST

Effective date: 20170831

REG Reference to a national code

Ref country code: IE

Ref legal event code: MM4A

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: LU

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20161216

Ref country code: FR

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20170102

Ref country code: CH

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20161231

Ref country code: LI

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20161231

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: IE

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20161216

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: CY

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20160323

Ref country code: HU

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT; INVALID AB INITIO

Effective date: 20111216

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: MK

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20160323

Ref country code: TR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20160323

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: MT

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20161216

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: AL

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20160323

REG Reference to a national code

Ref country code: DE

Ref legal event code: R079

Ref document number: 602011024267

Country of ref document: DE

Free format text: PREVIOUS MAIN CLASS: H04L0012260000

Ipc: H04L0043000000

P01 Opt-out of the competence of the unified patent court (upc) registered

Effective date: 20231213

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: GB

Payment date: 20231227

Year of fee payment: 13

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: DE

Payment date: 20231229

Year of fee payment: 13